1 ColdFusion Application Security: The Next Step Jason Dean www.12robots.com Boston ColdFusion User Group September 16 th, 2009

2 Who I am
    Web Application Developer with the Minnesota Department of Health (MDH)
    User Group Manager of the MDH CFUG
    Web Development Blogger (http://www.12robots.com)
    Veteran of the U.S. Coast Guard

3 The Next Steps
    Request Forgeries
    Password Security
    Cookie Misuse/Exploits
    Session Management

4 Request Forgeries Hackers writing checks for your users to cash

5 That was confusing. EXAMPLE: deletePage.cfm?pageid=#pageID#

6 Request Forgeries (cartoon: the phone rings, Brrrriiiiiiinnnng; Kay to Bob: "Heh. The website is down!!!"; Bob: "???")

7 Request Forgeries So What Happened?

8 Request Forgeries (cartoon: Kay and Bob; "muwhahaha"; hackerForm.post();)

9 So what can we do about it? The receiving action page/method probably:
    - Receives the request
    - Checks to make sure the user is authorized
    - Confirms that the ID is valid
    - Performs the action

10 How do we fix it?

11 How do we fix it? Action Page/Method:
    <cfif NOT StructKeyExists(form, "CSRFToken")
          OR NOT StructKeyExists(session.deleteForm, "CSRFToken")
          OR NOT StructKeyExists(session.deleteForm, "tokenExpires")
          OR NOT IsDate(session.deleteForm.tokenExpires)
          OR NOT session.deleteForm.CSRFToken EQ form.CSRFToken
          OR NOT DateDiff("s", Now(), session.deleteForm.tokenExpires) GT 0>
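Added example (not the slides' own code) of the whole token round-trip in CFML, using the slide's session.deleteForm, CSRFToken and tokenExpires names: the form page issues a random, short-lived token and the action page runs the slide's check, extended with a guard for a missing session.deleteForm, a case-sensitive compare(), and single-use consumption of the token. The file names and the pageID variable are assumptions.

```cfml
<!--- deleteForm.cfm: issue a random token for this form; it expires in 10 minutes.
      generateSecretKey() returns a base64 key from a cryptographic random source,
      which makes the token unguessable by a third-party site. --->
<cfset session.deleteForm = {
    CSRFToken    = generateSecretKey("AES"),
    tokenExpires = dateAdd("n", 10, now())
} />
<cfoutput>
<form action="deletePage.cfm" method="post">
    <input type="hidden" name="pageID" value="#pageID#" />
    <input type="hidden" name="CSRFToken" value="#session.deleteForm.CSRFToken#" />
    <input type="submit" value="Delete page" />
</form>
</cfoutput>

<!--- deletePage.cfm: validate before doing anything else. Every failing branch
      rejects. compare() is used instead of EQ because EQ compares strings
      case-insensitively and the base64 token is case-sensitive. --->
<cfif NOT StructKeyExists(form, "CSRFToken")
      OR NOT StructKeyExists(session, "deleteForm")
      OR NOT StructKeyExists(session.deleteForm, "CSRFToken")
      OR NOT StructKeyExists(session.deleteForm, "tokenExpires")
      OR NOT IsDate(session.deleteForm.tokenExpires)
      OR compare(session.deleteForm.CSRFToken, form.CSRFToken) NEQ 0
      OR NOT DateDiff("s", Now(), session.deleteForm.tokenExpires) GT 0>
    <cfset structDelete(session, "deleteForm") />
    <cfthrow type="Security" message="Missing, stale or mismatched form token" />
</cfif>
<!--- token accepted: consume it so a replayed POST cannot reuse it --->
<cfset structDelete(session, "deleteForm") />
<!--- then: check the user is authorized, confirm form.pageID is valid, perform the delete --->
```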

12 Request Forgeries Question?

13 Password Security

14 Achieving a Secure Password
    Not username
    Change regularly
    Minimum length
    Special characters
    Alphanumeric, lowercase, uppercase
    Not a date
    Password1!

15 Password Security Right for the Site

16 Password Hashing What is it? Why Do it?

17 Hashing Example #hash1# #hash2# #hash3#

18 Hashing Example
    472D46CB829018F9DBD65FB8479A49BB
    C2AF2111FF9C02C4EEE016CBCDF0D033
    21AB8E7B12BA1793AB5156022492A5CD

19 Stronger Hashing Example In our previous example we had: Now let's add:

20 MD5 Result
    472D46CB829018F9DBD65FB8479A49BB
    CBD672C9AAF85A22968C7BCF9FF90EED
    10F1C46CAF873486E530570E7A298BBB

21 SHA-256 Result
    7FA8A6E9FDE2F4E1DFE6FB029AF47C9633D4B7A616A42C3B2889C5226A20238D
    ECB12086B0B57E445BED6C67EF6EB6C4F5A23360264646F9EF76E3E667987142
    440CA7EEBEE13499DB9C01537442579C7E3B63C5F76F1B0A16DE18DDA7E7704E

22 SHA-512 Result
    27166A235CD42FB7E5A45CB89F542760373DCDC779E1697DB283013718904201D4D05537E63FD3815B596511C8704C50791C7BA3C504CAB516E622BDC6EC09C9
    8C205EA4105BE9D89D44E84B4D00BCD52A84476180FEE63D99300AB4B23F2C30B77D6F7FD64D1B902F9BE85373D7394103EA58EDA174AD45892FDE0A56F0EF04
    791FEDFCA713F52A42DDA68704213F5D8F5BC85953F385DF8D7835A7B32FBFD16047C213883D46DC0834DB7A6F2549EAF7AB8CF264C8A6C9082A2D0B5A420FFD

23 Hashing Question?

24 Password Salting Because users make stupid passwords

25 Salting Example
    Value 1 Hashed: #hash1#
    Value 2 Hashed: #hash2#
    Value 1 Salted and Hashed: #hash1Salted#
    Value 2 Salted and Hashed: #hash2Salted#

26 Salting Example Output
    Value 1 Hashed: 2AC9CB7DC02B3C0083EB70898E549B63
    Value 2 Hashed: 2AC9CB7DC02B3C0083EB70898E549B63
    Value 1 Salted and Hashed: BAD4613B67109FD512580E3E67511652
    Value 2 Salted and Hashed: 3BB315CF3BA97066614C79832C939098
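Added example (not the slides' code) that reproduces in CFML the effect shown on slides 18 through 26: the same password gives the same unsalted MD5 for two users, a per-user random salt makes the stored hashes differ, and the algorithm argument of hash() moves from MD5 to SHA-512 as on the stronger-hashing slides. The function names and the salt/hash storage layout are assumptions.

```cfml
<cfscript>
// Hash a new password with a fresh random salt; store both values beside the user.
// generateSecretKey() gives a base64 string from a cryptographic random source.
function hashPassword(password) {
    var result = structNew();
    result.salt = generateSecretKey("AES");
    result.hash = hash(result.salt & password, "SHA-512");   // uppercase hex, 128 chars
    return result;
}

// Recompute with the stored salt and compare case-sensitively (EQ ignores case).
function verifyPassword(password, salt, storedHash) {
    return compare(hash(salt & password, "SHA-512"), storedHash) EQ 0;
}

// Two users who chose the same weak password from slide 14
pw = "Password1!";

// Unsalted: identical input, identical digest, so one cracked hash unlocks both accounts
md5One = hash(pw, "MD5");
md5Two = hash(pw, "MD5");
writeOutput("unsalted MD5 equal: " & (md5One EQ md5Two) & "<br />");   // YES

// Salted: each user gets a different salt, so the stored hashes differ
userOne = hashPassword(pw);
userTwo = hashPassword(pw);
writeOutput("salted SHA-512 equal: " & (userOne.hash EQ userTwo.hash) & "<br />");   // NO

// Login check against the stored salt and hash
writeOutput("correct password verifies: " & verifyPassword(pw, userOne.salt, userOne.hash) & "<br />");  // YES
writeOutput("wrong case rejected: " & verifyPassword("password1!", userOne.salt, userOne.hash));          // NO
</cfscript>
```

The salt defeats precomputed tables and hides which users share a password; it does not slow down a guessing attack, because MD5 and the SHA family are fast digests by design.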

27 Password Hashing and Salting Question?

28 Session Management

29 What is a session?
    (diagram: a browser sends GET index.cfm HTTP/1.1; the server answers HTTP/1.1 200 OK with Set-Cookie: SessionID=1; each later request carries Cookie: SessionID=1, and other browsers carry Cookie: SessionID=2 or Cookie: SessionID=3, which is how the server ties each request to its own session; real-world value: sessionid=0a30b0926a39d5d7327237217c552e387712)

30 Session Token Types
    ColdFusion (CFID & CFTOKEN):
        - Weak by default
        - Can be made strong
        - Persistent by default
        - Can be set Session-Only
        - Easier to manipulate token cookies
        - Cannot be invalidated
    JEE (JSESSIONID):
        - Strong by default
        - Session-Only by default
        - Can be shared with JEE applications
        - Can be invalidated

31 Session Persistence
    Sessions can be persisted in 3 ways:
    - In the URL string, e.g. http://www.12robots.com/mypage.cfm?CFID=2&CFTOKEN=10666880
    - In a POST request
    - In a cookie

32 Manipulating CF Token Cookies
    In Application.cfc:
    <cfheader name="Set-Cookie" value="CFID=#session.CFID#;secure=true;HTTPOnly" />
    <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;secure=true;HTTPOnly" />

33 Manipulating JEE Token Cookies
    In Application.cfc (cfscript; the slide does not define response, domain, path, secure or HTTPOnly, so the values below are assumed):
    response = getPageContext().getResponse();   // underlying servlet response (assumed; not on the slide)
    domain = cgi.server_name; path = "/"; secure = "secure"; HTTPOnly = "HTTPOnly";   // assumed cookie attributes
    header = "jsessionid" & "=" & session.sessionid & ";domain=" & domain & ";path=" & path & ";" & secure & ";" & HTTPOnly;
    response.addHeader("Set-Cookie", header);

34 Session Logout (ColdFusion) In UserService.cfc: In Application.cfc:

35 Session Logout (J2EE) In UserService.cfc:
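Added example (not the slides' code) of a logout handler for each token type from slide 30: the JEE session is invalidated on the server, whereas CFID/CFTOKEN cannot be revoked, so the session scope is emptied and the browser is told to discard the cookies. The file name and the login page are assumptions.

```cfml
<!--- logout.cfm, JEE session tokens (JSESSIONID): the servlet container revokes the
      session itself, so a replayed JSESSIONID is simply unknown afterwards.
      addtoken="false" keeps CFID/CFTOKEN out of the redirect URL (slide 31). --->
<cfset getPageContext().getSession().invalidate() />
<cflocation url="login.cfm" addtoken="false" />

<!--- logout.cfm, ColdFusion tokens (CFID/CFTOKEN): the token pair cannot be
      invalidated, so empty the session scope (logs the user out server-side) and
      expire the cookies so the browser stops presenting the old pair. --->
<cfset structClear(session) />
<cfcookie name="CFID"    value="" expires="now" />
<cfcookie name="CFTOKEN" value="" expires="now" />
<cflocation url="login.cfm" addtoken="false" />
```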

36 Session Management Question?

37 Cookie Security

38 Cookie Parameters
    Name
    Value
    Expires
    Path
    Domain
    Secure
    HTTPOnly

39 Cookie Domain and Path
    (diagram)
    domain=".awesomebloggers.com": sent to www.awesomebloggers.com, 12robots.awesomebloggers.com and hacker.awesomebloggers.com
    domain=".12robots.awesomebloggers.com": sent to 12robots.awesomebloggers.com only
    path="/": sent to www.awesomebloggers.com/12robots and www.awesomebloggers.com/hacker
    path="/12robots": sent to www.awesomebloggers.com/12robots only

40 Setting the HTTPOnly Flag

41 Questions? Please ask your questions now Comments? Jason Dean jason@12robots.com http://www.12robots.com

